Microsoft has determined the flaw is in the processing of embedded TrueType fonts (TTFs). According to Microsoft:

"The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

That's a pretty serious bug. In the terms security professionals usually use, it allows both remote code execution (RCE) and elevation of privilege (EoP).

Microsoft is working diligently to provide a patch, but it is unlikely we will see it in this Tuesday's update from the software giant. They are simply committing to providing a quality fix whether that is in an out-of-cycle update or in the December Patch Tuesday.

Microsoft has offered a FixIt download tool that will disable support for embedded TTFs to provide protection against the flaw.

The drawback is that it will prevent any application that relies on embedded TTFs from rendering properly. Embedding TTFs is a common practice in Microsoft Office documents, browsers and document viewers.

I expect Microsoft won't waste too much time getting a fix out for this one, and the risk of being exploited through this bug is extremely low for most organizations.

As SophosLabs further analyzes this threat we will post updates here on Naked Security.

I'm trying to reconcile how on one hand we call this a pretty serious bug, but on the other say the risk is very low. I understand that the major antivirus vendors have definitions, but historically, major viruses have morphed into new variants very quickly.

I'm also trying to determine the impact of implementing the workaround. How widespread is the use of embedded TrueType fonts? I have two laptops, one with the DLL disabled and one without. I have been hitting bunches of websites and loading Word and PowerPoint documents, side-by-side. I have yet to come across anything with noticeable font issues.

If the exploit becomes more widely known, it is a very serious risk. At this point only researchers and the attackers using it in a targeted manner are aware of it, making the current risk to people who are not being targeted by these attackers quite low.

This is called a "Windows kernel vulnerability", but I was curious whether this vulnerability might also apply to True Type Fonts (TTFs) installed on a Mac. Apparently it doesn't...or at least Microsoft's security advisory page at http://support.microsoft.com/kb/2639658 (the same page linked in the article, above) makes no mention of applicability to TTFs on Mac OS X. In fact, the page contains the following "System Tip":

"This article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled."

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.